IT and security stuff

What are AD FSMO roles?

It’s common to have more than one Domain Controller in a domain, and every ordinary DC has full write access to the directory. However, some tasks are more sensitive than others, and it would be risky to let several DCs modify certain data at the same time.

This is where FSMO (Flexible Single Master Operations) roles come in handy. They split those sensitive tasks of a DC into 5 separate roles, each held by exactly one DC at a time, which together cover the full AD structure.

The 5 FSMO roles:

  • Schema Master – forest wide
  • Domain Naming Master – forest wide
  • Relative ID (RID) Master – domain wide
  • Primary Domain Controller (PDC) Emulator – domain wide
  • Infrastructure Master – domain wide

Schema Master

The Schema Master is the only DC allowed to modify the schema, which defines all the attributes you can assign to an object in an AD database, such as:

  • Phone number
  • Login ID
  • Email Address

Domain Naming Master

This is the master of the domain names. It makes sure that we don’t create a domain with the same name as another one in the same forest. Since this is not a heavy task, it can easily be held by a DC that already has another role.

RID Master

The RID Master assigns blocks of SIDs to the different DCs, which they use for newly created objects. Each object in AD has a SID. By granting each DC its own block, the RID Master prevents two objects from ending up with the same SID.

PDC Emulator

The DC holding this role is the authoritative DC in the domain. The PDC Emulator manages GPOs (Group Policy Objects), responds to authentication requests, processes password changes and manages time/date for the entire domain.

Infrastructure Master

Translates Globally Unique Identifiers (GUIDs), SIDs and Distinguished Names (DNs) between domains. If we have multiple domains in our forest, the Infrastructure Master takes care of keeping the references to objects from other domains, such as users, up to date.
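One way to see who holds each of the five roles and sanity-check their placement, as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to the directory.

```powershell
# Added example (not from the original post): list the five FSMO role holders
# for the current forest/domain, check each one answers on LDAP, and flag the
# two placement issues an admin usually wants to know about.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles are properties of the forest object, domain-wide roles
# are properties of the domain object.
$roles = [ordered]@{
    'Schema Master (forest)'         = $forest.SchemaMaster
    'Domain Naming Master (forest)'  = $forest.DomainNamingMaster
    'RID Master (domain)'            = $domain.RIDMaster
    'PDC Emulator (domain)'          = $domain.PDCEmulator
    'Infrastructure Master (domain)' = $domain.InfrastructureMaster
}

foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    # A holder that does not answer on LDAP (389) cannot service the
    # operations tied to its role (RID pool requests, password changes, ...).
    $ldapOk = Test-NetConnection -ComputerName $holder -Port 389 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Role = $role; Holder = $holder; LdapReachable = $ldapOk }
}

# All five roles on one DC is a single point of failure for the whole domain.
$single = $roles.Values | Sort-Object -Unique
if ($single.Count -eq 1) {
    Write-Warning "All FSMO roles are held by $single; consider spreading them."
}

# In a multi-domain forest the Infrastructure Master only updates cross-domain
# references correctly if it is NOT a Global Catalog (unless every DC is a GC).
if ($forest.Domains.Count -gt 1) {
    $im = Get-ADDomainController -Identity $domain.InfrastructureMaster
    $allGc = (Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    if ($im.IsGlobalCatalog -and -not $allGc) {
        Write-Warning "Infrastructure Master $($im.HostName) is a Global Catalog; cross-domain references will not be updated."
    }
}
```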
